Enabling key rotation for Kubernetes authentication

Enabling key rotation for Kubernetes authentication helps meet common security practices that require encryption keys to be rotated periodically.

To enable key rotation, add the annotation keyrotation.csiaddons.openshift.io/schedule: <value> to a Namespace, StorageClass, or PersistentVolumeClaim (listed in order of precedence).

Set <value> to @hourly, @daily, @weekly, @monthly, or @yearly, as required. If <value> is empty, @weekly is used by default.

Important: Only RADOS Block Device (RBD)-related volumes support key rotation.

Examples of enabling key rotation with the value @weekly are as follows:

Namespace

Run the following command to get the default namespace details:

$ oc get namespace default

Example output:

NAME      STATUS   AGE
default   Active   5d2h

Run the following command to enable key rotation on the default namespace:

$ oc annotate namespace default "keyrotation.csiaddons.openshift.io/schedule=@weekly"

Example output:

namespace/default annotated

StorageClass

Run the following command to get the rbd-sc StorageClass details:

$ oc get storageclass rbd-sc

Example output:

NAME       PROVISIONER        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
rbd-sc     rbd.csi.ceph.com   Delete          Immediate           true                   5d2h

Run the following command to enable key rotation on the rbd-sc StorageClass:

$ oc annotate storageclass rbd-sc "keyrotation.csiaddons.openshift.io/schedule=@weekly"

Example output:

storageclass.storage.k8s.io/rbd-sc annotated

PersistentVolumeClaim

Run the following command to get the data-pvc PersistentVolumeClaim details:

$ oc get pvc data-pvc

Example output:

NAME      STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS      AGE
data-pvc  Bound    pvc-f37b8582-4b04-4676-88dd-e1b95c6abf74   1Gi        RWO            default           20h

Run the following command to enable key rotation on the data-pvc PersistentVolumeClaim:

$ oc annotate pvc data-pvc "keyrotation.csiaddons.openshift.io/schedule=@weekly"

Example output:

persistentvolumeclaim/data-pvc annotated

Replacing key rotation schedule

To replace the current key rotation schedule with a new one, follow these steps:
  1. Run the following command to get the existing schedule details:

     $ oc get encryptionkeyrotationcronjobs.csiaddons.openshift.io

    Example output:

    NAME                    SCHEDULE    SUSPEND   ACTIVE   LASTSCHEDULE   AGE
    data-pvc-1642663516     @weekly                                       3s
  2. Run the following command to overwrite the existing schedule with a new one:

     $ oc annotate pvc data-pvc "keyrotation.csiaddons.openshift.io/schedule=*/1 * * * *" --overwrite=true

    Example output:

    persistentvolumeclaim/data-pvc annotated
  3. Run the following command to check whether the new schedule is set:

     $ oc get encryptionkeyrotationcronjobs.csiaddons.openshift.io

    Example output:

    NAME                  SCHEDULE    SUSPEND   ACTIVE   LASTSCHEDULE   AGE
    data-pvc-1642664617   */1 * * * *                                   3s
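The following shell helpers are an added example, not part of the original documentation or of the csi-addons project: they validate a schedule value (the documented macros, the empty-means-@weekly default, or a plain 5-field cron expression) before it is written, print the oc annotate command for review, and read the schedule back out of the EncryptionKeyRotationCronJob listing. The sample listing is constructed from the table layout shown above, and the column parsing assumes that layout.

```shell
#!/bin/sh
# Added example: check a key rotation schedule before annotating, build the
# oc command, and read the schedule back from the cron job listing.

KEYROTATION_ANNOTATION="keyrotation.csiaddons.openshift.io/schedule"

# Print the normalized schedule. Empty means the @weekly default, a documented
# macro passes through, and a plain 5-field cron expression is accepted.
# Anything else returns 1 so a typo is caught before it lands on the object.
normalize_schedule() {
  value=$1
  case "$value" in
    "") echo "@weekly"; return 0 ;;
    @hourly|@daily|@weekly|@monthly|@yearly) echo "$value"; return 0 ;;
  esac
  # Cron form: only digits, '*', ',', '-', '/' and the spaces between fields.
  case "$(printf '%s' "$value" | tr -d ' ')" in
    *[!0-9*,/-]*|"") return 1 ;;
  esac
  [ "$(printf '%s\n' "$value" | awk '{ print NF }')" -eq 5 ] || return 1
  echo "$value"
}

# Build (but do not run) the annotate command for a namespace, storageclass
# or pvc. --overwrite=true lets the same command replace an existing schedule.
annotate_cmd() {  # kind name schedule
  sched=$(normalize_schedule "$3") || { echo "unsupported schedule: '$3'" >&2; return 1; }
  printf 'oc annotate %s %s "%s=%s" --overwrite=true\n' \
    "$1" "$2" "$KEYROTATION_ANNOTATION" "$sched"
}

# Extract the SCHEDULE column for a PVC. Cron job names are <pvc>-<timestamp>
# and a cron schedule contains spaces, so take every field between NAME and
# AGE. This assumes the layout shown in the docs (blank SUSPEND, ACTIVE and
# LASTSCHEDULE columns); for real scripting prefer `oc get ... -o json`.
schedule_from_listing() {  # pvc listing
  printf '%s\n' "$2" | awk -v pvc="$1" '
    NR > 1 && index($1, pvc "-") == 1 {
      s = $2; for (i = 3; i < NF; i++) s = s " " $i; print s
    }'
}

# Constructed listing in the format the docs show, so the example runs offline.
SAMPLE_LISTING='NAME                  SCHEDULE    SUSPEND   ACTIVE   LASTSCHEDULE   AGE
data-pvc-1642664617   */1 * * * *                                   3s'

annotate_cmd pvc data-pvc ""             # empty value -> schedule=@weekly
annotate_cmd pvc data-pvc "*/1 * * * *"  # cron form from the procedure above
schedule_from_listing data-pvc "$SAMPLE_LISTING"   # -> */1 * * * *
```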